[Samba] AD Integration drives me nuts

Mike samba at protec-enterprises.com
Wed May 5 15:20:10 MDT 2010


Hi Dale and thanks for your quick reply.

Actually this didn't just help, it solved the whole freakin' issue! :)

I just wonder why testparm didn't wake me up on the "$" instead of the
"%". The double quotes on the groupnames are a nice touch though...

Thanks again for your help

--
Mike
 
On Wed, 2010-05-05 at 14:12 -0500, Dale Schroeder wrote:
> On 05/05/2010 1:38 PM, Mike wrote:
> > Hi
> >
> > This has been keeping me up for days now and I can't seem to find a solution
> > in the various wikis, howtos and whatsoevers, so here's the plot:
> >
> > I have a W2K3 R2 x64 Domaincontroller (VM on vSphere4) and a CentOS 5.4
> > x64 fileserver (also a VM on vSphere4, same ESX-host), running Samba
> > 3.0.33-3.15.el5_4.1 (rpm installation out of the box).
> >
> > All I want to do is to have Samba authenticate against my DC. I've been
> > setting up Kerberos, Winbind and Samba according to the Wiki-Page
> > (http://wiki.samba.org/index.php/Samba_%26Active_Directory).
> >
> > Authentication seems to work (i.e if I logon to the server via ssh using
> > the AD-Account, everything looks fine and even the created homedirs are
> > assigned to the group "domain users") however, if I try to map a windows
> > share from a laptop running XPpro, Samba won't accept the user neither
> > for the homedirs nor for the datashare.
> >
> > So the big question is: where did I screw up and/or what did I forget?
> >
> > This is what my smb.conf looks like at the moment:
> >
> > [global]
> >          workgroup = PROTEC
> >          realm = BSR.PROTEC-ENTERPRISES.COM
> >          password server = dc01-v.bsr.protec-enterprises.com
> >          preferred master = no
> >          server string = Samba FileServer Version %v
> >          netbios name = SAMBA-V
> >
> >          # logs split per machine
> >          log file = /var/log/samba/%m.log
> >          # max 50KB per log file, then rotate
> >          max log size = 50
> >          log level = 3
> >
> >          winbind separator = +
> >          winbind enum users = yes
> >          winbind enum groups = yes
> >          winbind use default domain = yes
> > ;       winbind nested groups = yes
> > ;       winbind nss info = rfc2307
> >
> >          security = ADS
> >          encrypt passwords = yes
> >
> >          idmap uid = 10000-20000
> >          idmap gid = 10000-20000
> >
> >          username map = /etc/samba/smbusers
> > 	# just to map the root account to the AD-Administrator account
> > 	# as well as the AD-Guest account to "nobody"
> >
> > 	template shell = /bin/bash
> > ;       template primary group = "Domain Users"
> >
> > [homes]
> >          comment = Home Directories
> >          valid users = $S
> >    
> Mike,
> 
> I see a couple of syntax errors.
> You must prefix with the domain and separator.  Also use %, not $.
> valid users = PROTEC+%S
> >          readonly = no
> >          browseable = yes
> >
> > [Data]
> >          comment = New K-Drive
> >          valid users = @PROTEC+domain users
> >    
> Domain Users has a space, so you must enclose in quotes
> valid users = @"PROTEC+ Domain Users"
> 
> See if this helps.
> 
> Dale
> >          path = /mnt/sambashares/filestore
> >          writeable = yes
> >          browseable = yes
> >
> >
> > And here's what's in the workstation-log (not that i understand any of
> > it...):
> >
> > [2010/05/05 14:34:39, 3] passdb/lookup_sid.c:store_gid_sid_cache(1151)
> >    store_gid_sid_cache: gid 10013 in cache ->
> > S-1-5-21-1238498519-1179045160-1496349262-515
> > [2010/05/05 14:34:39, 3] passdb/lookup_sid.c:fetch_gid_from_cache(1107)
> >    fetch gid from cache 10000 ->  S-1-5-32-544
> > [2010/05/05 14:34:39, 3] passdb/lookup_sid.c:fetch_gid_from_cache(1107)
> >    fetch gid from cache 10001 ->  S-1-5-32-545
> > [2010/05/05 14:34:39, 3] smbd/sec_ctx.c:push_sec_ctx(208)
> >    push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
> > [2010/05/05 14:34:39, 3] smbd/uid.c:push_conn_ctx(358)
> >    push_conn_ctx(0) : conn_ctx_stack_ndx = 0
> > [2010/05/05 14:34:39, 3] smbd/sec_ctx.c:set_sec_ctx(241)
> >    setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
> > [2010/05/05 14:34:39, 3] smbd/sec_ctx.c:pop_sec_ctx(356)
> >    pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
> > [2010/05/05 14:34:39, 3] lib/privileges.c:get_privileges(261)
> >    get_privileges: No privileges assigned to SID
> > [S-1-5-21-1238498519-1179045160-1496349262-1124]
> > [2010/05/05 14:34:39, 3] lib/privileges.c:get_privileges(261)
> >    get_privileges: No privileges assigned to SID
> > [S-1-5-21-1238498519-1179045160-1496349262-515]
> > [2010/05/05 14:34:39, 3] lib/privileges.c:get_privileges(261)
> >    get_privileges: No privileges assigned to SID [S-1-5-2]
> > [2010/05/05 14:34:39, 3] lib/privileges.c:get_privileges(261)
> >    get_privileges: No privileges assigned to SID [S-1-5-11]
> > [2010/05/05 14:34:39, 3] passdb/lookup_sid.c:fetch_gid_from_cache(1107)
> >    fetch gid from cache 10013 ->
> > S-1-5-21-1238498519-1179045160-1496349262-515
> > [2010/05/05 14:34:39, 3] smbd/password.c:register_vuid(304)
> >    User name: PROTEC+fx805-02-p$ Real name: FX805-02-P$
> > [2010/05/05 14:34:39, 3] smbd/password.c:register_vuid(325)
> >    UNIX uid 10010 is UNIX user PROTEC+fx805-02-p$, and will be vuid 101
> > [2010/05/05 14:34:39, 3] smbd/password.c:register_vuid(356)
> >    Adding homes service for user 'PROTEC+fx805-02-p$' using home
> > directory: '/home/PROTEC/fx805-02-p_'
> > [2010/05/05 14:34:39, 3] param/loadparm.c:lp_add_home(2691)
> >    adding home's share [fx805-02-p$] for user 'PROTEC+fx805-02-p$' at
> > '/home/PROTEC/fx805-02-p_'
> > [2010/05/05 14:34:39, 3] smbd/process.c:process_smb(1083)
> >    Transaction 2 of length 84
> > [2010/05/05 14:34:39, 3] smbd/process.c:switch_message(932)
> >    switch message SMBtconX (pid 24205) conn 0x0
> > [2010/05/05 14:34:39, 3] smbd/sec_ctx.c:set_sec_ctx(241)
> >    setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
> > [2010/05/05 14:34:39, 3] smbd/service.c:make_connection_snum(815)
> >    Connect path is '/tmp' for service [IPC$]
> > [2010/05/05 14:34:39, 3] lib/util_seaccess.c:se_access_check(250)
> > [2010/05/05 14:34:39, 3] lib/util_seaccess.c:se_access_check(251)
> >    se_access_check: user sid is
> > S-1-5-21-1238498519-1179045160-1496349262-1124
> >    se_access_check: also S-1-5-21-1238498519-1179045160-1496349262-515
> >    se_access_check: also S-1-1-0
> >    se_access_check: also S-1-5-2
> >    se_access_check: also S-1-5-11
> > [2010/05/05 14:34:39, 3] smbd/vfs.c:vfs_init_default(95)
> >    Initialising default vfs hooks
> > [2010/05/05 14:34:39, 3] smbd/vfs.c:vfs_init_custom(128)
> >    Initialising custom vfs hooks from [/[Default VFS]/]
> > [2010/05/05 14:34:39, 3] lib/util_seaccess.c:se_access_check(250)
> > [2010/05/05 14:34:39, 3] lib/util_seaccess.c:se_access_check(251)
> >    se_access_check: user sid is
> > S-1-5-21-1238498519-1179045160-1496349262-1124
> >    se_access_check: also S-1-5-21-1238498519-1179045160-1496349262-515
> >    se_access_check: also S-1-1-0
> >    se_access_check: also S-1-5-2
> >    se_access_check: also S-1-5-11
> > [2010/05/05 14:34:39, 3] smbd/sec_ctx.c:set_sec_ctx(241)
> >    setting sec ctx (10010, 10013) - sec_ctx_stack_ndx = 0
> > [2010/05/05 14:34:39, 3] smbd/service.c:make_connection_snum(1042)
> >    192.168.2.88 (192.168.2.88) connect to service IPC$ initially as user
> > PROTEC+fx805-02-p$ (uid=10010, gid=10013) (pid 24205)
> > [2010/05/05 14:34:39, 3] smbd/sec_ctx.c:set_sec_ctx(241)
> >    setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
> > [2010/05/05 14:34:39, 3] smbd/reply.c:reply_tcon_and_X(574)
> >    tconX service=IPC$
> > [2010/05/05 14:34:39, 3] smbd/process.c:process_smb(1083)
> >    Transaction 3 of length 102
> > [2010/05/05 14:34:39, 3] smbd/process.c:switch_message(932)
> >    switch message SMBtrans2 (pid 24205) conn 0x2b6c699f1430
> > [2010/05/05 14:34:39, 3] smbd/sec_ctx.c:set_sec_ctx(241)
> >    setting sec ctx (10010, 10013) - sec_ctx_stack_ndx = 0
> > [2010/05/05 14:34:39, 3] smbd/msdfs.c:get_referred_path(636)
> >    get_referred_path: |Data| in dfs path \Samba-v\Data is not a dfs root.
> > [2010/05/05 14:34:39, 3] smbd/error.c:error_packet_set(106)
> >    error packet at smbd/trans2.c(6309) cmd=50 (SMBtrans2)
> > NT_STATUS_NOT_FOUND
> > [2010/05/05 14:34:41, 3] smbd/process.c:process_smb(1083)
> >    Transaction 4 of length 240
> > [2010/05/05 14:34:41, 3] smbd/process.c:switch_message(932)
> >    switch message SMBsesssetupX (pid 24205) conn 0x0
> > [2010/05/05 14:34:41, 3] smbd/sec_ctx.c:set_sec_ctx(241)
> >    setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
> > [2010/05/05 14:34:41, 3] smbd/sesssetup.c:reply_sesssetup_and_X(1256)
> >    wct=12 flg2=0xc807
> > [2010/05/05 14:34:41, 3]
> > smbd/sesssetup.c:reply_sesssetup_and_X_spnego(1038)
> >    Doing spnego session setup
> > [2010/05/05 14:34:41, 3]
> > smbd/sesssetup.c:reply_sesssetup_and_X_spnego(1069)
> >    NativeOS=[Windows 2002 Service Pack 3 2600] NativeLanMan=[Windows 2002
> > 5.1] PrimaryDomain=[]
> > [2010/05/05 14:34:41, 3] smbd/sesssetup.c:reply_spnego_negotiate(697)
> >    reply_spnego_negotiate: Got secblob of size 40
> > [2010/05/05 14:34:41, 3] libsmb/ntlmssp.c:debug_ntlmssp_flags(63)
> >    Got NTLMSSP neg_flags=0xa2088207
> > [2010/05/05 14:34:41, 3] smbd/process.c:process_smb(1083)
> >    Transaction 5 of length 338
> > [2010/05/05 14:34:41, 3] smbd/process.c:switch_message(932)
> >    switch message SMBsesssetupX (pid 24205) conn 0x0
> > [2010/05/05 14:34:41, 3] smbd/sec_ctx.c:set_sec_ctx(241)
> >    setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
> > [2010/05/05 14:34:41, 3] smbd/sesssetup.c:reply_sesssetup_and_X(1256)
> >    wct=12 flg2=0xc807
> > [2010/05/05 14:34:41, 3]
> > smbd/sesssetup.c:reply_sesssetup_and_X_spnego(1038)
> >    Doing spnego session setup
> > [2010/05/05 14:34:41, 3]
> > smbd/sesssetup.c:reply_sesssetup_and_X_spnego(1069)
> >    NativeOS=[Windows 2002 Service Pack 3 2600] NativeLanMan=[Windows 2002
> > 5.1] PrimaryDomain=[]
> > [2010/05/05 14:34:41, 3] libsmb/ntlmssp.c:ntlmssp_server_auth(739)
> >    Got user=[smg] domain=[SAMBA-V] workstation=[FX805-02-P] len1=24
> > len2=24
> >
> >
> >    
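The three `valid users` mistakes the reply above points out (a `$`-prefixed substitution where Samba expects `%`, a name without the `DOMAIN` plus `winbind separator` prefix, and a group name containing a space that is not double-quoted) are easy to miss by eye, and as the poster notes testparm does not flag them. The linter below walks an smb.conf and reports them per share. It is an added example written for this page, not Samba code and not from either poster; the smb.conf text and the group list are constructed samples modelled on the thread, and the "missing prefix" check encodes the reply's advice rather than a Samba rule.

```python
"""Lint the `valid users` parameters of an smb.conf for the three
mistakes discussed in the thread: a `$`-prefixed substitution (Samba
substitutions use `%`), a name missing the DOMAIN+separator prefix, and a
group name that contains a space but is not double-quoted.

Added example for this page; not Samba code and not part of the original
post.  The smb.conf text and the group list are constructed samples."""
import re

# Constructed sample: the two broken shares from the thread plus a share
# written the way the reply suggests.  Not the poster's actual file.
SAMPLE_SMB_CONF = """\
[global]
        workgroup = PROTEC
        winbind separator = +
        security = ADS

[homes]
        comment = Home Directories
        valid users = $S

[Data]
        comment = New K-Drive
        valid users = @PROTEC+domain users

[Fixed]
        valid users = PROTEC+%S @"PROTEC+Domain Users"
"""

# Constructed list of AD group names (assumption: what `wbinfo -g` would list).
KNOWN_GROUPS = ["Domain Users", "Domain Admins", "Domain Computers"]


def parse_smb_conf(text):
    """Minimal smb.conf parser returning {section: {parameter: value}}.

    Handles '[section]' headers, '#' and ';' comment lines and
    'key = value' lines; ignores line continuations (unused in the sample)."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current][key.strip().lower()] = value.strip()
    return sections


def split_list(value):
    """Split a Samba list value the way smbd does: tokens are separated by
    whitespace or commas, and a double-quoted token (optionally preceded by
    the @, + or & group prefix) may contain spaces."""
    return re.findall(r'[@+&]?"[^"]*"|[^\s,]+', value)


def unquoted_occurrences(value, name):
    """True if `name` appears in `value` outside double quotes (case-insensitive)."""
    for m in re.finditer(re.escape(name), value, flags=re.IGNORECASE):
        # An even number of quote characters before the match means the
        # match is not inside a quoted token.
        if value.count('"', 0, m.start()) % 2 == 0:
            return True
    return False


def lint_valid_users(conf, known_groups=KNOWN_GROUPS):
    """Return (section, problem) tuples for every `valid users` value."""
    # Samba's default winbind separator is a backslash.
    sep = conf.get("global", {}).get("winbind separator", "\\")
    problems = []
    for section, params in conf.items():
        value = params.get("valid users")
        if value is None:
            continue
        for token in split_list(value):
            bare = token.lstrip("@+&").strip('"')
            if re.fullmatch(r"\$[A-Za-z]", bare):
                problems.append((section, f"{token}: substitutions use %, not $ (e.g. %S)"))
            elif sep not in bare:
                problems.append((section, f"{token}: no DOMAIN{sep} prefix (the reply uses e.g. PROTEC{sep}%S)"))
        for group in known_groups:
            if " " in group and unquoted_occurrences(value, group):
                problems.append((section, f'group "{group}" contains a space and must be double-quoted'))
    return problems


if __name__ == "__main__":
    for section, problem in lint_valid_users(parse_smb_conf(SAMPLE_SMB_CONF)):
        print(f"[{section}] {problem}")
```

Running it against the sample reports `$S` in `[homes]`, the unquoted `Domain Users` in `[Data]` (plus a stray `users` token without a domain prefix, which is exactly how smbd would see the unquoted name after splitting on the space), and nothing for `[Fixed]`.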